2 * Copyright (C) 2014 The Android Open Source Project
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
17 package com.android.server.connectivity;
19 import static android.Manifest.permission.CHANGE_NETWORK_STATE;
20 import static android.Manifest.permission.CONNECTIVITY_INTERNAL;
21 import static android.Manifest.permission.CONNECTIVITY_USE_RESTRICTED_NETWORKS;
22 import static android.Manifest.permission.INTERNET;
23 import static android.Manifest.permission.NETWORK_STACK;
24 import static android.Manifest.permission.UPDATE_DEVICE_STATS;
25 import static android.content.pm.PackageInfo.REQUESTED_PERMISSION_GRANTED;
26 import static android.content.pm.PackageManager.GET_PERMISSIONS;
27 import static android.content.pm.PackageManager.MATCH_ANY_USER;
28 import static android.os.Process.INVALID_UID;
29 import static android.os.Process.SYSTEM_UID;
31 import android.annotation.NonNull;
32 import android.content.Context;
33 import android.content.pm.ApplicationInfo;
34 import android.content.pm.PackageInfo;
35 import android.content.pm.PackageManager;
36 import android.content.pm.PackageManager.NameNotFoundException;
37 import android.content.pm.PackageManagerInternal;
38 import android.content.pm.UserInfo;
39 import android.net.INetd;
40 import android.net.UidRange;
41 import android.os.Build;
42 import android.os.RemoteException;
43 import android.os.ServiceSpecificException;
44 import android.os.UserHandle;
45 import android.os.UserManager;
46 import android.system.OsConstants;
47 import android.util.ArraySet;
48 import android.util.Log;
49 import android.util.SparseArray;
50 import android.util.SparseIntArray;
52 import com.android.internal.annotations.GuardedBy;
53 import com.android.internal.annotations.VisibleForTesting;
54 import com.android.internal.util.ArrayUtils;
55 import com.android.internal.util.IndentingPrintWriter;
56 import com.android.server.LocalServices;
57 import com.android.server.SystemConfig;
59 import java.util.ArrayList;
60 import java.util.Collection;
61 import java.util.HashMap;
62 import java.util.HashSet;
63 import java.util.List;
65 import java.util.Map.Entry;
70 * A utility class to inform Netd of UID permisisons.
71 * Does a mass update at boot and then monitors for app install/remove.
75 public class PermissionMonitor {
76 private static final String TAG = "PermissionMonitor";
77 private static final boolean DBG = true;
78 protected static final Boolean SYSTEM = Boolean.TRUE;
79 protected static final Boolean NETWORK = Boolean.FALSE;
80 private static final int VERSION_Q = Build.VERSION_CODES.Q;
82 private final PackageManager mPackageManager;
83 private final UserManager mUserManager;
84 private final INetd mNetd;
86 // Values are User IDs.
88 private final Set<Integer> mUsers = new HashSet<>();
90 // Keys are app uids. Values are true for SYSTEM permission and false for NETWORK permission.
92 private final Map<Integer, Boolean> mApps = new HashMap<>();
94 // Keys are active non-bypassable and fully-routed VPN's interface name, Values are uid ranges
95 // for apps under the VPN
97 private final Map<String, Set<UidRange>> mVpnUidRanges = new HashMap<>();
99 // A set of appIds for apps across all users on the device. We track appIds instead of uids
100 // directly to reduce its size and also eliminate the need to update this set when user is
103 private final Set<Integer> mAllApps = new HashSet<>();
105 private class PackageListObserver implements PackageManagerInternal.PackageListObserver {
107 private int getPermissionForUid(int uid) {
109 // Check all the packages for this UID. The UID has the permission if any of the
110 // packages in it has the permission.
111 String[] packages = mPackageManager.getPackagesForUid(uid);
112 if (packages != null && packages.length > 0) {
113 for (String name : packages) {
114 final PackageInfo app = getPackageInfo(name);
115 if (app != null && app.requestedPermissions != null) {
116 permission |= getNetdPermissionMask(app.requestedPermissions,
117 app.requestedPermissionsFlags);
121 // The last package of this uid is removed from device. Clean the package up.
122 permission = INetd.PERMISSION_UNINSTALLED;
128 public void onPackageAdded(String packageName, int uid) {
129 sendPackagePermissionsForUid(uid, getPermissionForUid(uid));
133 public void onPackageChanged(@NonNull String packageName, int uid) {
134 sendPackagePermissionsForUid(uid, getPermissionForUid(uid));
138 public void onPackageRemoved(String packageName, int uid) {
139 sendPackagePermissionsForUid(uid, getPermissionForUid(uid));
143 public PermissionMonitor(Context context, INetd netd) {
144 mPackageManager = context.getPackageManager();
145 mUserManager = (UserManager) context.getSystemService(Context.USER_SERVICE);
149 // Intended to be called only once at startup, after the system is ready. Installs a broadcast
150 // receiver to monitor ongoing UID changes, so this shouldn't/needn't be called again.
151 public synchronized void startMonitoring() {
154 PackageManagerInternal pmi = LocalServices.getService(PackageManagerInternal.class);
156 pmi.getPackageList(new PackageListObserver());
158 loge("failed to get the PackageManagerInternal service");
160 List<PackageInfo> apps = mPackageManager.getInstalledPackages(GET_PERMISSIONS
167 SparseIntArray netdPermsUids = new SparseIntArray();
169 for (PackageInfo app : apps) {
170 int uid = app.applicationInfo != null ? app.applicationInfo.uid : INVALID_UID;
174 mAllApps.add(UserHandle.getAppId(uid));
176 boolean isNetwork = hasNetworkPermission(app);
177 boolean hasRestrictedPermission = hasRestrictedNetworkPermission(app);
179 if (isNetwork || hasRestrictedPermission) {
180 Boolean permission = mApps.get(uid);
181 // If multiple packages share a UID (cf: android:sharedUserId) and ask for different
182 // permissions, don't downgrade (i.e., if it's already SYSTEM, leave it as is).
183 if (permission == null || permission == NETWORK) {
184 mApps.put(uid, hasRestrictedPermission);
188 //TODO: unify the management of the permissions into one codepath.
189 int otherNetdPerms = getNetdPermissionMask(app.requestedPermissions,
190 app.requestedPermissionsFlags);
191 netdPermsUids.put(uid, netdPermsUids.get(uid) | otherNetdPerms);
194 List<UserInfo> users = mUserManager.getUsers(true); // exclude dying users
196 for (UserInfo user : users) {
201 final SparseArray<ArraySet<String>> systemPermission =
202 SystemConfig.getInstance().getSystemPermissions();
203 for (int i = 0; i < systemPermission.size(); i++) {
204 ArraySet<String> perms = systemPermission.valueAt(i);
205 int uid = systemPermission.keyAt(i);
206 int netdPermission = 0;
207 // Get the uids of native services that have UPDATE_DEVICE_STATS or INTERNET permission.
209 netdPermission |= perms.contains(UPDATE_DEVICE_STATS)
210 ? INetd.PERMISSION_UPDATE_DEVICE_STATS : 0;
211 netdPermission |= perms.contains(INTERNET)
212 ? INetd.PERMISSION_INTERNET : 0;
214 netdPermsUids.put(uid, netdPermsUids.get(uid) | netdPermission);
216 log("Users: " + mUsers.size() + ", Apps: " + mApps.size());
217 update(mUsers, mApps, true);
218 sendPackagePermissionsToNetd(netdPermsUids);
222 static boolean isVendorApp(@NonNull ApplicationInfo appInfo) {
223 return appInfo.isVendor() || appInfo.isOem() || appInfo.isProduct();
227 protected int getDeviceFirstSdkInt() {
228 return Build.VERSION.FIRST_SDK_INT;
232 boolean hasPermission(@NonNull final PackageInfo app, @NonNull final String permission) {
233 if (app.requestedPermissions == null || app.requestedPermissionsFlags == null) {
236 final int index = ArrayUtils.indexOf(app.requestedPermissions, permission);
237 if (index < 0 || index >= app.requestedPermissionsFlags.length) return false;
238 return (app.requestedPermissionsFlags[index] & REQUESTED_PERMISSION_GRANTED) != 0;
242 boolean hasNetworkPermission(@NonNull final PackageInfo app) {
243 return hasPermission(app, CHANGE_NETWORK_STATE);
247 boolean hasRestrictedNetworkPermission(@NonNull final PackageInfo app) {
248 // TODO : remove this check in the future(b/31479477). All apps should just
249 // request the appropriate permission for their use case since android Q.
250 if (app.applicationInfo != null) {
251 // Backward compatibility for b/114245686, on devices that launched before Q daemons
252 // and apps running as the system UID are exempted from this check.
253 if (app.applicationInfo.uid == SYSTEM_UID && getDeviceFirstSdkInt() < VERSION_Q) {
257 if (app.applicationInfo.targetSdkVersion < VERSION_Q
258 && isVendorApp(app.applicationInfo)) {
262 return hasPermission(app, CONNECTIVITY_INTERNAL)
263 || hasPermission(app, NETWORK_STACK)
264 || hasPermission(app, CONNECTIVITY_USE_RESTRICTED_NETWORKS);
267 /** Returns whether the given uid has using background network permission. */
268 public synchronized boolean hasUseBackgroundNetworksPermission(final int uid) {
269 // Apps with any of the CHANGE_NETWORK_STATE, NETWORK_STACK, CONNECTIVITY_INTERNAL or
270 // CONNECTIVITY_USE_RESTRICTED_NETWORKS permission has the permission to use background
271 // networks. mApps contains the result of checks for both hasNetworkPermission and
272 // hasRestrictedNetworkPermission. If uid is in the mApps list that means uid has one of
273 // permissions at least.
274 return mApps.containsKey(uid);
277 private int[] toIntArray(Collection<Integer> list) {
278 int[] array = new int[list.size()];
280 for (Integer item : list) {
286 private void update(Set<Integer> users, Map<Integer, Boolean> apps, boolean add) {
287 List<Integer> network = new ArrayList<>();
288 List<Integer> system = new ArrayList<>();
289 for (Entry<Integer, Boolean> app : apps.entrySet()) {
290 List<Integer> list = app.getValue() ? system : network;
291 for (int user : users) {
292 list.add(UserHandle.getUid(user, app.getKey()));
297 mNetd.networkSetPermissionForUser(INetd.PERMISSION_NETWORK, toIntArray(network));
298 mNetd.networkSetPermissionForUser(INetd.PERMISSION_SYSTEM, toIntArray(system));
300 mNetd.networkClearPermissionForUser(toIntArray(network));
301 mNetd.networkClearPermissionForUser(toIntArray(system));
303 } catch (RemoteException e) {
304 loge("Exception when updating permissions: " + e);
309 * Called when a user is added. See {link #ACTION_USER_ADDED}.
311 * @param user The integer userHandle of the added user. See {@link #EXTRA_USER_HANDLE}.
315 public synchronized void onUserAdded(int user) {
317 loge("Invalid user in onUserAdded: " + user);
322 Set<Integer> users = new HashSet<>();
324 update(users, mApps, true);
328 * Called when an user is removed. See {link #ACTION_USER_REMOVED}.
330 * @param user The integer userHandle of the removed user. See {@link #EXTRA_USER_HANDLE}.
334 public synchronized void onUserRemoved(int user) {
336 loge("Invalid user in onUserRemoved: " + user);
341 Set<Integer> users = new HashSet<>();
343 update(users, mApps, false);
347 protected Boolean highestPermissionForUid(Boolean currentPermission, String name) {
348 if (currentPermission == SYSTEM) {
349 return currentPermission;
352 final PackageInfo app = mPackageManager.getPackageInfo(name, GET_PERMISSIONS);
353 final boolean isNetwork = hasNetworkPermission(app);
354 final boolean hasRestrictedPermission = hasRestrictedNetworkPermission(app);
355 if (isNetwork || hasRestrictedPermission) {
356 currentPermission = hasRestrictedPermission;
358 } catch (NameNotFoundException e) {
360 loge("NameNotFoundException " + name);
362 return currentPermission;
366 * Called when a package is added. See {link #ACTION_PACKAGE_ADDED}.
368 * @param packageName The name of the new package.
369 * @param uid The uid of the new package.
373 public synchronized void onPackageAdded(String packageName, int uid) {
374 // If multiple packages share a UID (cf: android:sharedUserId) and ask for different
375 // permissions, don't downgrade (i.e., if it's already SYSTEM, leave it as is).
376 final Boolean permission = highestPermissionForUid(mApps.get(uid), packageName);
377 if (permission != mApps.get(uid)) {
378 mApps.put(uid, permission);
380 Map<Integer, Boolean> apps = new HashMap<>();
381 apps.put(uid, permission);
382 update(mUsers, apps, true);
385 // If the newly-installed package falls within some VPN's uid range, update Netd with it.
386 // This needs to happen after the mApps update above, since removeBypassingUids() depends
387 // on mApps to check if the package can bypass VPN.
388 for (Map.Entry<String, Set<UidRange>> vpn : mVpnUidRanges.entrySet()) {
389 if (UidRange.containsUid(vpn.getValue(), uid)) {
390 final Set<Integer> changedUids = new HashSet<>();
391 changedUids.add(uid);
392 removeBypassingUids(changedUids, /* vpnAppUid */ -1);
393 updateVpnUids(vpn.getKey(), changedUids, true);
396 mAllApps.add(UserHandle.getAppId(uid));
400 * Called when a package is removed. See {link #ACTION_PACKAGE_REMOVED}.
402 * @param uid containing the integer uid previously assigned to the package.
406 public synchronized void onPackageRemoved(int uid) {
407 // If the newly-removed package falls within some VPN's uid range, update Netd with it.
408 // This needs to happen before the mApps update below, since removeBypassingUids() depends
409 // on mApps to check if the package can bypass VPN.
410 for (Map.Entry<String, Set<UidRange>> vpn : mVpnUidRanges.entrySet()) {
411 if (UidRange.containsUid(vpn.getValue(), uid)) {
412 final Set<Integer> changedUids = new HashSet<>();
413 changedUids.add(uid);
414 removeBypassingUids(changedUids, /* vpnAppUid */ -1);
415 updateVpnUids(vpn.getKey(), changedUids, false);
418 // If the package has been removed from all users on the device, clear it form mAllApps.
419 if (mPackageManager.getNameForUid(uid) == null) {
420 mAllApps.remove(UserHandle.getAppId(uid));
423 Map<Integer, Boolean> apps = new HashMap<>();
424 Boolean permission = null;
425 String[] packages = mPackageManager.getPackagesForUid(uid);
426 if (packages != null && packages.length > 0) {
427 for (String name : packages) {
428 permission = highestPermissionForUid(permission, name);
429 if (permission == SYSTEM) {
430 // An app with this UID still has the SYSTEM permission.
431 // Therefore, this UID must already have the SYSTEM permission.
437 if (permission == mApps.get(uid)) {
438 // The permissions of this UID have not changed. Nothing to do.
440 } else if (permission != null) {
441 mApps.put(uid, permission);
442 apps.put(uid, permission);
443 update(mUsers, apps, true);
446 apps.put(uid, NETWORK); // doesn't matter which permission we pick here
447 update(mUsers, apps, false);
451 private static int getNetdPermissionMask(String[] requestedPermissions,
452 int[] requestedPermissionsFlags) {
454 if (requestedPermissions == null || requestedPermissionsFlags == null) return permissions;
455 for (int i = 0; i < requestedPermissions.length; i++) {
456 if (requestedPermissions[i].equals(INTERNET)
457 && ((requestedPermissionsFlags[i] & REQUESTED_PERMISSION_GRANTED) != 0)) {
458 permissions |= INetd.PERMISSION_INTERNET;
460 if (requestedPermissions[i].equals(UPDATE_DEVICE_STATS)
461 && ((requestedPermissionsFlags[i] & REQUESTED_PERMISSION_GRANTED) != 0)) {
462 permissions |= INetd.PERMISSION_UPDATE_DEVICE_STATS;
468 private PackageInfo getPackageInfo(String packageName) {
470 PackageInfo app = mPackageManager.getPackageInfo(packageName, GET_PERMISSIONS
473 } catch (NameNotFoundException e) {
479 * Called when a new set of UID ranges are added to an active VPN network
481 * @param iface The active VPN network's interface name
482 * @param rangesToAdd The new UID ranges to be added to the network
483 * @param vpnAppUid The uid of the VPN app
485 public synchronized void onVpnUidRangesAdded(@NonNull String iface, Set<UidRange> rangesToAdd,
487 // Calculate the list of new app uids under the VPN due to the new UID ranges and update
488 // Netd about them. Because mAllApps only contains appIds instead of uids, the result might
489 // be an overestimation if an app is not installed on the user on which the VPN is running,
491 final Set<Integer> changedUids = intersectUids(rangesToAdd, mAllApps);
492 removeBypassingUids(changedUids, vpnAppUid);
493 updateVpnUids(iface, changedUids, true);
494 if (mVpnUidRanges.containsKey(iface)) {
495 mVpnUidRanges.get(iface).addAll(rangesToAdd);
497 mVpnUidRanges.put(iface, new HashSet<UidRange>(rangesToAdd));
502 * Called when a set of UID ranges are removed from an active VPN network
504 * @param iface The VPN network's interface name
505 * @param rangesToRemove Existing UID ranges to be removed from the VPN network
506 * @param vpnAppUid The uid of the VPN app
508 public synchronized void onVpnUidRangesRemoved(@NonNull String iface,
509 Set<UidRange> rangesToRemove, int vpnAppUid) {
510 // Calculate the list of app uids that are no longer under the VPN due to the removed UID
511 // ranges and update Netd about them.
512 final Set<Integer> changedUids = intersectUids(rangesToRemove, mAllApps);
513 removeBypassingUids(changedUids, vpnAppUid);
514 updateVpnUids(iface, changedUids, false);
515 Set<UidRange> existingRanges = mVpnUidRanges.getOrDefault(iface, null);
516 if (existingRanges == null) {
517 loge("Attempt to remove unknown vpn uid Range iface = " + iface);
520 existingRanges.removeAll(rangesToRemove);
521 if (existingRanges.size() == 0) {
522 mVpnUidRanges.remove(iface);
527 * Compute the intersection of a set of UidRanges and appIds. Returns a set of uids
529 * 1. falls into one of the UidRange
530 * 2. matches one of the appIds
532 private Set<Integer> intersectUids(Set<UidRange> ranges, Set<Integer> appIds) {
533 Set<Integer> result = new HashSet<>();
534 for (UidRange range : ranges) {
535 for (int userId = range.getStartUser(); userId <= range.getEndUser(); userId++) {
536 for (int appId : appIds) {
537 final int uid = UserHandle.getUid(userId, appId);
538 if (range.contains(uid)) {
548 * Remove all apps which can elect to bypass the VPN from the list of uids
550 * An app can elect to bypass the VPN if it hold SYSTEM permission, or if its the active VPN
553 * @param uids The list of uids to operate on
554 * @param vpnAppUid The uid of the VPN app
556 private void removeBypassingUids(Set<Integer> uids, int vpnAppUid) {
557 uids.remove(vpnAppUid);
558 uids.removeIf(uid -> mApps.getOrDefault(uid, NETWORK) == SYSTEM);
562 * Update netd about the list of uids that are under an active VPN connection which they cannot
565 * This is to instruct netd to set up appropriate filtering rules for these uids, such that they
566 * can only receive ingress packets from the VPN's tunnel interface (and loopback).
568 * @param iface the interface name of the active VPN connection
569 * @param add {@code true} if the uids are to be added to the interface, {@code false} if they
570 * are to be removed from the interface.
572 private void updateVpnUids(String iface, Set<Integer> uids, boolean add) {
573 if (uids.size() == 0) {
578 mNetd.firewallAddUidInterfaceRules(iface, toIntArray(uids));
580 mNetd.firewallRemoveUidInterfaceRules(toIntArray(uids));
582 } catch (ServiceSpecificException e) {
583 // Silently ignore exception when device does not support eBPF, otherwise just log
584 // the exception and do not crash
585 if (e.errorCode != OsConstants.EOPNOTSUPP) {
586 loge("Exception when updating permissions: ", e);
588 } catch (RemoteException e) {
589 loge("Exception when updating permissions: ", e);
594 * Called by PackageListObserver when a package is installed/uninstalled. Send the updated
595 * permission information to netd.
597 * @param uid the app uid of the package installed
598 * @param permissions the permissions the app requested and netd cares about.
603 void sendPackagePermissionsForUid(int uid, int permissions) {
604 SparseIntArray netdPermissionsAppIds = new SparseIntArray();
605 netdPermissionsAppIds.put(uid, permissions);
606 sendPackagePermissionsToNetd(netdPermissionsAppIds);
610 * Called by packageManagerService to send IPC to netd. Grant or revoke the INTERNET
611 * and/or UPDATE_DEVICE_STATS permission of the uids in array.
613 * @param netdPermissionsAppIds integer pairs of uids and the permission granted to it. If the
614 * permission is 0, revoke all permissions of that uid.
619 void sendPackagePermissionsToNetd(SparseIntArray netdPermissionsAppIds) {
621 Log.e(TAG, "Failed to get the netd service");
624 ArrayList<Integer> allPermissionAppIds = new ArrayList<>();
625 ArrayList<Integer> internetPermissionAppIds = new ArrayList<>();
626 ArrayList<Integer> updateStatsPermissionAppIds = new ArrayList<>();
627 ArrayList<Integer> noPermissionAppIds = new ArrayList<>();
628 ArrayList<Integer> uninstalledAppIds = new ArrayList<>();
629 for (int i = 0; i < netdPermissionsAppIds.size(); i++) {
630 int permissions = netdPermissionsAppIds.valueAt(i);
631 switch(permissions) {
632 case (INetd.PERMISSION_INTERNET | INetd.PERMISSION_UPDATE_DEVICE_STATS):
633 allPermissionAppIds.add(netdPermissionsAppIds.keyAt(i));
635 case INetd.PERMISSION_INTERNET:
636 internetPermissionAppIds.add(netdPermissionsAppIds.keyAt(i));
638 case INetd.PERMISSION_UPDATE_DEVICE_STATS:
639 updateStatsPermissionAppIds.add(netdPermissionsAppIds.keyAt(i));
641 case INetd.PERMISSION_NONE:
642 noPermissionAppIds.add(netdPermissionsAppIds.keyAt(i));
644 case INetd.PERMISSION_UNINSTALLED:
645 uninstalledAppIds.add(netdPermissionsAppIds.keyAt(i));
647 Log.e(TAG, "unknown permission type: " + permissions + "for uid: "
648 + netdPermissionsAppIds.keyAt(i));
652 // TODO: add a lock inside netd to protect IPC trafficSetNetPermForUids()
653 if (allPermissionAppIds.size() != 0) {
654 mNetd.trafficSetNetPermForUids(
655 INetd.PERMISSION_INTERNET | INetd.PERMISSION_UPDATE_DEVICE_STATS,
656 ArrayUtils.convertToIntArray(allPermissionAppIds));
658 if (internetPermissionAppIds.size() != 0) {
659 mNetd.trafficSetNetPermForUids(INetd.PERMISSION_INTERNET,
660 ArrayUtils.convertToIntArray(internetPermissionAppIds));
662 if (updateStatsPermissionAppIds.size() != 0) {
663 mNetd.trafficSetNetPermForUids(INetd.PERMISSION_UPDATE_DEVICE_STATS,
664 ArrayUtils.convertToIntArray(updateStatsPermissionAppIds));
666 if (noPermissionAppIds.size() != 0) {
667 mNetd.trafficSetNetPermForUids(INetd.PERMISSION_NONE,
668 ArrayUtils.convertToIntArray(noPermissionAppIds));
670 if (uninstalledAppIds.size() != 0) {
671 mNetd.trafficSetNetPermForUids(INetd.PERMISSION_UNINSTALLED,
672 ArrayUtils.convertToIntArray(uninstalledAppIds));
674 } catch (RemoteException e) {
675 Log.e(TAG, "Pass appId list of special permission failed." + e);
679 /** Should only be used by unit tests */
681 public Set<UidRange> getVpnUidRanges(String iface) {
682 return mVpnUidRanges.get(iface);
685 /** Dump info to dumpsys */
686 public void dump(IndentingPrintWriter pw) {
687 pw.println("Interface filtering rules:");
689 for (Map.Entry<String, Set<UidRange>> vpn : mVpnUidRanges.entrySet()) {
690 pw.println("Interface: " + vpn.getKey());
691 pw.println("UIDs: " + vpn.getValue().toString());
697 private static void log(String s) {
703 private static void loge(String s) {
707 private static void loge(String s, Throwable e) {